California passed the strongest privacy law in America. A new survey finds companies -- including Google and Meta -- are violating it at industrial scale. Enforcement has been minimal. The Violations The Markup's April 2026 investigation found: 73% of major websites failed to honor "Do Not Sell My Personal Information" requests Google secretly lobbied against consumer privacy bills while publicly staying neutral Data brokers deliberately buried opt-out pages from search engines California Delete Act passed but companies routinely ignore compliance deadlines CPPA enforcement actions lagging with only 12 formal actions in 18 months The Industrial Scale Privacy violations are not occasional oversights. They are engineered business practices: Intentionally complex opt-out procedures requiring 15+ clicks Dark patterns steering users away from privacy settings Third-party trackers loaded before consent is obtained "Legitimate interest" claims bypassing explicit consent requirements This is consistent with what dark patterns research has documented across the industry. Companies do not accidentally violate privacy laws -- they design compliance out of the user experience. Why Nothing Happens The CPPA is underfunded, understaffed, and outmatched. With a $10M annual budget against companies with $100B+ market caps, fines are treated as cost of business. Until penalties scale with revenue, compliance is optional. What You Can Do Despite weak enforcement, the CCPA/CPRA gives California residents real rights -- if you exercise them. The California data broker opt-out tool can automate some of the process. The complete data deletion guide covers removal steps beyond California law. The FTC's 2026 strategic plan signals more aggressive federal enforcement, but progress remains slow. The law exists. The enforcement does not.